To support this purpose, the document has been structured in two (2) parts.  

Part 1 outlines the following five (5) mandatory Core Requirements:

Core Requirement 1    The Agency Head must ensure there is an effective system of internal control over the financial and related operations of the agency

Core Requirement 2    The CFO must provide the Agency Head with an annual Letter of Certification as to the effectiveness of the system of internal control over financial information. Once the Letter of Certification is accepted by the Agency Head, the CFO must ensure that a copy is provided to NSW Treasury

Core Requirement 3    The CFO Letter of Certification must be supported by an Internal Control Questionnaire designed to assess the overall adequacy of the existing system of internal control over financial information and completed by the CFO

Core Requirement 4    The CFO, when preparing the CFO Letter of Certification, must request and consider certifications provided by management, and outsourced and shared service providers

Core Requirement 5    The CFO must submit a copy of the Letter of Certification and supporting documentation to the Audit and Risk Committee (ARC) for review. The ARC must review the Letter of Certification and provide advice to the Agency Head and, where applicable, to the governing board.

Compliance with the Policy is mandatory for all material entities (other than State Owned Corporations) identified as material in the NSW Government Budget Papers. This includes departments, statutory bodies, and other entities. State Owned Corporations are strongly encouraged to comply with all of the Core Requirements and to benchmark their systems of internal control over financial information against the guidance in this Policy and Guidelines Paper.

The CFO Letter of Certification is required to be submitted to NSW Treasury on or before15 September, and is intended to cover the prior financial year.

Core Requirement 1 reflects an existing requirement in the Public Finance and Audit Act 1983 (PFAA).  While the legislative requirement does not apply to State Owned Corporations, the Guidelines for Boards of Government Businesses (TPP 09-02) notes that “Businesses should develop a sound system of risk oversight and management and internal control”.

Core Requirement 2 formalises an existing requirement that has previously been implemented by an annual letter to agencies. Core Requirements 3 to 5 relate to the processes underpinning the Letter of Certification to:

• promote consistency of practice across the sector in assessing and providing assurance on the effectiveness of the system of internal control
• set minimum standards for agencies around NSW Treasury’s requirements relating to the Letter of Certification.

Core Requirement 5 requires a copy of the CFO Letter of Certification to be provided to the ARC for review.  For those agencies listed in Schedules 2 and 3 of the PFAA, the ARC’s role in providing advice to the Agency Head regarding the processes undertaken to provide the Certification is consistent with the ARC’s responsibilities for oversight of an agency’s internal control framework as outlined in the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03). For other agencies, the provision of advice by the ARC in relation to an agency’s system of internal control is not only consistent with better practice but is a responsibility already assumed by the ARC in the majority of agencies.

Part 2 provides guidance intended to support agencies to implement the Core Requirements.  The guidance is provided in the form of 10 better practices for an effective system of internal control over financial information:

1. A strong financial management culture including tone at the top
2. Clear definition of financial reporting roles and responsibilities
3. Financial reporting planning
4. Appropriate allocation of resources and competent staff for financial information
   and reporting functions
5. Identification and monitoring of financial reporting compliance obligations
6. Financial information risk management
7. Internal control activities for financial information and reporting
8. Effective financial information management including proper record-keeping
9. Financial information performance monitoring and evaluation
10. Continuous improvement

Templates and examples of checklists to be used by the CFO and the ARC are provided as Annexures to this Policy and Guidelines Paper. With the exception of the CFO Letter of Certification (Annexure B), the templates and examples are intended to provide guidance and, if used, must be adapted to the needs and circumstances of the agency.